[CLOSED] HaHaHack Dis: No Magisk REQUIRED!!!!

Status
Not open for further replies.
Pachacouti

Senior Member
Jul 8, 2020
389
92
55
The Capital above the Lower one...
Magisk is no more...

I present a new foolproof method of flashing su to Android 10_Q and above!!

I ranted and ranted about variant=user/user-debug/eng builds that I got nowhere... people thinkin am dissin john wu, nah, I respect what I've learnt from his app forcing me to connect online, I want su without connecting, in order to secure my own fone.

Introducing proof!!

Simple. Instead of flashing boot.img

Flash boot-debug.img from stock.

This addresses the lack of adb root.

Logs:


D:\0\AdbStation>fastboot --disable-verity --disable-verification flash vbmeta vblankmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta' (4 KB) OKAY [ 0.000s]
Writing 'vbmeta' OKAY [ 0.000s]
Finished. Total time: 0.016s

D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.404s

D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery MyTwrp.img
Sending 'recovery' (26086 KB) OKAY [ 0.718s]
Writing 'recovery' OKAY [ 0.406s]
Finished. Total time: 1.139s

D:\0\AdbStation>fastboot reboot-recovery
Rebooting into recovery OKAY [ 0.000s]
Finished. Total time: 0.000s

D:\0\AdbStation>adb root
adbd is already running as root

D:\0\AdbStation>adb root
restarting adbd as root

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # mount -o remount,rw /system_root
mount: '/system_root' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /system
mount: '/system' not in /proc/mounts
1|Armor_X5_Q:/ # mount -o remount,rw /
'/dev/block/dm-1' is read-only
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd apex
Armor_X5_Q:/apex # ls
com.android.apex.cts.shim com.android.media@292000301
com.android.apex.cts.shim@1 com.android.resolv
com.android.conscrypt com.android.resolv@292000502
com.android.conscrypt@291900801 com.android.runtime
com.android.media com.android.runtime@1
com.android.media.swcodec com.android.tzdata
com.android.media.swcodec@292100201 com.android.tzdata@291900801
Armor_X5_Q:/apex # exit

D:\0\AdbStation>adb reboot bootloader

D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.577s]
Writing 'recovery' OKAY [ 0.312s]
Finished. Total time: 0.889s

D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s

D:\0\AdbStation>adb root
restarting adbd as root

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # exit

------------------------

Pay attention, the first part above, I flashed a twrp...

Below, I flash stock images... without closing adb window.
--------------------------------------------------------------

D:\0\AdbStation>adb reboot bootloader

D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.499s]
Finished. Total time: 1.373s

D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
Sending 'recovery' (20646 KB) OKAY [ 0.484s]
Writing 'recovery' OKAY [ 0.328s]
Finished. Total time: 0.811s

D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s

D:\0\AdbStation>adb root
restarting adbd as root

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
/system/bin/sh: su: inaccessible or not found
127|Armor_X5_Q:/ # exit

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # cd /system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls

Edit'd not relevant.. too long the things we can do list pissed one off...

Armor_X5_Q:/system/bin #

No MORE MAGISK!!!

It's a feature of Android 10 and over lol... says so in the android docs....

who needs su when you have root?

SYSTEM_AS_ROOT

Voila...

it's in the understanding.

YouRoot

Pachacouti

I dont use pastebin. I wanted to post my proof here. My call. thanks for the suggestion though, I mean, why send a good hack to another site when I would not have found it if it were not for comin here?

Surely xda deserves some credit, which I give by posting my flashing log here...

I know all will find what I posted will work to write a ro system.

Su and Magisk ARE dead, john wu says so...

I say this is why.

Flash boot-debug.img instead of boot.img gives

adb root

adb shell

# <- the point of root!!!

Ps, I may be a bro to my 3 sisters, but I aint no bro... :O

I find what they cant see, because they gave away the sight to see, what I see, they no longer can ;)

Until I light the way....

gringo80

Account currently disabled
Jun 8, 2018
742
656
[quoting Pachacouti's post above]

1. ROOT su binary is already included in GSI builds (original author is phhusson and not topjohnwu) since the beginning of the project. It's not a new thing. Here Magisk came to Hide this feature !

2. Magisk doesn't give only ROOT ... but the "systemless option" for the dynamic modules that is the half part of the whole package !

3. Have you tested SafetyNet ???

4. TWRP is already a root method since you can access to /data partition and other partitions too !

5. Oh yeah, it looks like you have an old device without dynamic partitions (aka SUPER) ...

Cheers

Pachacouti

im not using gsi, i'm using stock ma man, stock!

it's actually genuine root with stock!

Albeit different from what we used to call root, it is ultimately a rooted boot-debug, as in:

#

Oh, for the record everyone, I'm on an A-only arm64-v8a Armor x5, the mt6762 which also claims to be mt6765, running latest updated Android 10_Q, no, NOT PIE. System-as-Root

and I would not be writing in the system_1.32 thread if I did not have a super.img partition...

which I am currently flashing using nothing more than replacing my stock boot.img with the stock boot-debug.img, though I had to unlock bootloader to do this...

couldn't chmod the system_1.32 if the # did not show, true or false?

No Magisk... No su... the secret is in adb root not being available in user OR production builds, so use boot-debug.img to be able to type adb root to type adb shell to get #

No twrp. Stock recovery is not available, using boot-debug.img, so I flash twrp anyway.

Beat that!!!

You CANT, cause it's true... following magisk makes you think you need root when you were already given it in stock rom, (only viable if you see boot-debug.img beside your boot.img in stock folder), now if this is true, and obviously it is, then why did john wu not notice?

too busy waiting on me...

Time for a BIG update from magisk then? Not. (needed, pmsl)

Selfie Clappin Syndrome has left the building...

Ps, attempting magisk on boot-debug.img kills all adb and root access gained by not doing so.

I can and do flash my twrp, and have done so now, from lopstom into recovery, since normal stock recovery does NOT show when using boot-debug.img, and system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.

On with testing...

And for the record, this is where I found out what you now know:


works on Android 10_q stock, NOTE THIS IS FOR GSI ON ANDROID 11

Im on stock. nuff said.

Oh, look... debug vendor... debug... yum yum

Pachacouti

The downside is... I'm sitting with a completely rooted fone... with no root apps.

busybox is replaced with, yup, you guessed it, toybox! not by me, but comes as stock...

last I heard before discovering this was toybox IS the new busybox...

It's actually like linux without the 'custom' - in adb shell lol...

And it is indeed the desktop launcher kicking us out of writing to system in the first place, when rooting, since the desktop launcher cannot run root commands,, as it has no root rights. forcing PIE and earlier roots simply wont cut it...

I have to say it folks... upgrade...

And write some updated apps that dont hold us back!!

Oh, and I'd forget a ro system, cause even with systemrw, it's only in twrp it's of use to me, but cant save anything TO it, so kinda pointless to me for now... then I remind myself this is written for pie lol...

Edit, and I'll add this:

With only one phone to work on, so no experience in a/b partitioning, I'll assume (bein the mother of all f'up's lol) that the reason a/b partitions exist is because a pie bootloader is 2 bootloader's, split into 2 when remixed into android 10, separating the pie users access to variant=eng being available, to having to flash boot-debug.img since windows 10.

Here's the kicker... I have yet to flash any custom rom.

From stock I flash boot-debug.img, and twrp recovery, followed by the backup super_fixed.bin created by system_1.32, reboot into twrp and can instantly mount system/vendor as is expected of system_1.32, the script is only required once, if you make a back up that is...

Yet I cannot load any custom rom the usual way... twrp may show mounting system, but even when fastbooting TO system, in adb or twrp, I have to reflash a super, so forget writing overlay file systems pandering to big companies, write a writable system knowing it's all contained in a SUPER image using boot-debug as root source.

I can however, flash a super and load an entirely different OS, rw across the board... if I flash a super.img

The kicker is having a completely new root that comes with the fone and how it works...

su is pointless, as is magisk, you are already root.

Get it?

magisk takes this away.

so if you're on android 10 and over... forget magisk, load your boot-debug, and take control of your new root tool.

magisk cant see the countless other mount points made for each file for each app for each gif for each bit of binary, each has its own mount point lol...

it's gettin that way

Final point. Open a folder, go INTO it, and run any exe. While exe is running, attempt to delete folder exe is contained in. Now you know why you cant write a ro system. Close the exe, and voila!!

You cant mount a folder you already occupy in gui of fone. Ahem.. remount /system.

It's like typing su to get #

forget su

#

The greatest trick is convincin people of security when there is in fact none when it comes to software.

Their greatest security is their idiocy.

The PARTITIONS of history have taught us not to doubt insanity and its virtues...

Pachacouti

Usin the above convoluted method, I can indeed rw the ro system.

I deleted childspace apk as test. It worked.

Using only this order:

Place stock boot.img, recovery.img and boot-debug.img in the adb folder.

Also place your 'here's one I made earlier' magisk_patched_bootloader.img here.

Now the nippage:

1: Unlock stock bootloader. Reboot into bootloader, after granting adb keys.

2: Flash boot-debug - NOTHING ELSE.

3: Reboot into fone gui.

4: adb root
adb disable-verity
adb reboot - (boot into bootloader)

5: Flash magisk'd boot.img

6 (optional, I did this) Flash backed up Super_fixed.bin (had to rename to img)

7: flash twrp...

Now you can do what you want.

After this I removed the magisk'd bin, returned to my debug and the childspace app I removed stayed removed from a ro system.

So yeah, there's your door, blank vbmetas prevent rw access using this method. Use your real vbmeta when flashing boot-debug, boot debug will NOT work with magisk installed, I tried every utha way... all we really need is a nu su app that works using this method instead of simlinkin the heck out of ...

Now how to do this without the magisk step, and keep it..?

user-debug (are not user or debug img's, but the third lol)

Now they ARE hard to find, need to make one, not my cup of tea...

lebigmac

Account currently disabled
Jan 31, 2017
1,342
995
Hi Pachacouti. Thanks for your interest in my SystemRW project. I hope it was helpful to you.

Pachacouti said:
Oh, and safety net passes, because the debug is legit (stock boot-debug.img) lol, oh look, no magisk...

Where can I find this stock boot-debug.img file that you're talking about? I can't find it inside my stock Xiaomi firmware (MIUI).

Pachacouti said:
system_1.32 has just given me rw access in twrp, so systemrw actually works with no su or magisk installed.

Yes that's true my SystemRW script should work regardless of whether Magisk is installed yet or not. All you need for it to work is a root shell in recovery.

Have fun!

Pachacouti

[quoting lebigmac's reply above]

To answer your first question, take the boot-debug.img from here, the first you see, and try it. if it is the same size, it will most likely work

Be aware that this is a 32 MB bootloader, others are 64 MB, they obviously wont work.
This is not to say a 64 MB boot-debug.img will NOT work, it simply wont FIT.

Then be aware of a/b or a-only.

If you check the first post, from where I flashed all stock, I flashed the boot-debug.img to boot, NOT recovery. I am attempting to create a working twrp'd version for my fone, but I'm too slow for the instant gratificationist in me lol... using stock vbmeta... in other words, it would work, cause it's all legit, and how android 10, 11, and 12 actually work.

I find your script is a perfect find to see if we can indeed write to anything, now how to move what access you have in twrp to include mounting these 3 partitions dm-1, 2, 3, while in the actual gui...

Again, if you cant get into recovery, flash twrp to recovery after flashing boot-debug.img, It does work, but I think settings in recovery are not needed when booted to boot-debug, so the recovery is actually not necessary, but we're used to it, so NEED...

Edit, here's my boot-debug, thought I was in another thread lol..

And FFS, DONT try magisk with this, root is destroyed when doing so, this is not me dissin john wu, it's google fighting back... respect da john wu saaaa

Ps, enjoy this misunderstanding:

I flashed and ran systemrw_1.32 with NO root, no twrp, no recovery, I did it all in adb using nothing but boot-debug.img flashed to boot, with legit vbmeta.

In user builds, flashing blank vbmetas is what actually causes the inability to manipulate the ro system.

At least since PIE. Android 10_q and over... different ball game.

Attachments

  • boot-debug.img
    32 MB · Views: 105

Pachacouti

Did you know....

A few years back, when alcohol 120% came out, I downloaded a dvd that turned out to be corrupt. The image supplied by Alcohol 120% always came with an mdf file, and the disk image itself. Mdf is actually the md5 hash of the dvd.

When attempting to burn disk, I accidentally chose the mdf, (md5 hash) instead of the actual disk image, and it turned out that the mdf hash reproduced the disk image byte for byte.

In other words, the 4.7gig dvd image was never necessary. That's 4.7gig reproducible from an md5 hash of say 100kb in size.

Now imagine this in fones. Dont store the file, store its hash.

The CIA hate me now...

Pachacouti

Anyway, here is the process so far:

Grab the boot-debug.img below, if it works for you good.

From stock, unlocked bootloader, set adb keys:

fastboot flash boot boot-debug.img

fastboot reboot <- just to see what we got

adb root
adb disable-verity <- the proper way to disable verity. No blank vbmetas required.
adb reboot
adb wait-for-device
adb root
adb remount <- wont work, because boot-debug.img is not a user-debug version of boot-debug.img, so I need to use a magisk'd boot to gain 'other' access.. later...


Note: adb shell avbctl disable-verification is only available in user-debug builds, so instead of boot-debug.img, prob look like user-debug.img. Notice how I disable it below.

fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img 2>nul >nul <- Notice how I flash genuine vbmeta, including the end part '2>nul >nul' to flash twrp to recovery. This clears the way to flash super without flashing blank vbmetas... this will reset when flashing stock boot, so no problem to a dev...

fastboot flash recovery MyTwrp.img (rebooted after just to make sure the recovery stayed after typing '2>nul >nul' after the vbmeta) -it stayed.

fastboot flash super super_fixed.img <- Same test as above, now reboot into twrp to test rw capabilities. Mine all working.

fastboot reboot-recovery <- Go immediately to mount, tick system and vendor, if tick stays, voila, mine stays ticked...

Do twrp test using adb:

adb shell

# mount -o rw,remount rootfs /

Find way to install su lol, this is where I'm at now.

Dont say install the killer of su...

Attachments

  • boot-debug.img
    32 MB · Views: 16

Pachacouti

I then do:

Armor_X5_Q:/ # ls -l `which su`
total 1608
dr-xr-xr-x 4 root root 0 2021-09-27 13:00 acct
drwxr-xr-x 2 root root 40 2021-09-27 13:00 apex
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 bin -> /system/bin
lrwxrwxrwx 1 root root 50 2021-09-10 01:30 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
drwxrwx--- 6 system cache 4096 2010-01-01 00:03 cache
lrwxrwxrwx 1 root root 19 2021-09-10 01:30 charger -> /system/bin/charger
drwxr-xr-x 4 root root 0 1970-01-01 00:00 config
lrwxrwxrwx 1 root root 17 2021-09-10 01:30 d -> /sys/kernel/debug
drwxrwx--x 55 system system 4096 2021-09-27 12:25 data
drwxr-xr-x 2 root root 0 2021-09-10 01:30 debug_ramdisk
lrwxrwxrwx 1 root root 12 2021-09-10 01:30 default.prop -> prop.default
drwxr-xr-x 19 root root 3540 2021-09-27 13:00 dev
lrwxrwxrwx 1 root root 11 2021-09-10 01:30 etc -> /system/etc
drwxrwxrwx 13 root root 32768 1970-01-01 00:00 external_sd
-rw-r--r-- 1 root root 46380 2021-09-10 01:34 file_contexts
-rw-r--r-- 1 root root 865607 2021-09-10 01:30 file_contexts.bin
lrwxrwxrwx 1 root root 16 2021-09-10 01:30 init -> /system/bin/init
-rwxr-x--- 1 root root 7073 2021-09-10 01:30 init.rc
-rwxr-x--- 1 root root 103 2021-09-10 01:30 init.recovery.hlthchrg.rc
-rwxr-x--- 1 root root 58 2021-09-10 01:30 init.recovery.ldconfig.rc
-rwxr-x--- 1 root root 312 2021-09-10 01:30 init.recovery.logd.rc
-rwxr-x--- 1 root root 8824 2021-09-10 02:14 init.recovery.microtrust.rc
-rwxr-x--- 1 root root 3686 2021-09-10 02:00 init.recovery.mt6762.rc
-rwxrwx--- 1 root root 854 2021-08-28 14:20 init.recovery.prepdecrypt.rc
-rwxr-x--- 1 root root 213 2021-09-10 01:30 init.recovery.service.rc
-rwxr-x--- 1 root root 7862 2021-09-10 01:30 init.recovery.usb.rc
drwxr-xr-x 3 root root 0 2021-09-10 01:30 license
drwxr-xr-x 5 root system 100 2021-09-27 13:00 mnt
drwxrwx--x 6 system system 4096 2021-01-01 09:33 nvcfg
drwxrwx--x 8 root system 4096 2021-01-01 08:06 nvdata
drwxr-xr-x 2 root root 0 2021-09-10 01:30 odm
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 odm_property_contexts
drwxr-xr-x 2 root root 0 2021-09-10 01:30 oem
drwxrwx--x 5 system system 4096 2021-01-01 09:33 persist
-rw-r--r-- 1 root root 32079 2021-09-10 01:30 plat_file_contexts
-rw-r--r-- 1 root root 9476 2021-09-10 01:30 plat_property_contexts
dr-xr-xr-x 359 root root 0 1970-01-01 00:00 proc
drwxr-xr-x 12 root root 4096 2009-01-01 00:00 product
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_file_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 product_property_contexts
lrwxrwxrwx 1 root root 24 2021-09-10 01:30 product_services -> /system/product_services
-rw-r--r-- 1 root root 7414 2021-09-10 01:48 prop.default
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_binaries-timestamp
-rw-r--r-- 1 root root 0 2021-09-10 01:30 relink_libraries-timestamp
drwxr-xr-x 3 root root 0 2021-09-10 01:30 res
drwx------ 2 root root 0 2020-06-05 06:41 root
drwxr-x--- 2 root root 0 2021-09-10 01:30 sbin
drwxrwx--- 13 media_rw media_rw 4096 2021-09-27 13:06 sdcard
-rw-r--r-- 1 root root 465178 2021-09-10 01:30 sepolicy
drwxr-xr-x 2 root root 0 2021-09-27 13:00 sideload
drwxr-x--x 2 root root 0 2021-09-10 01:30 storage
dr-xr-xr-x 14 root root 0 2021-09-27 13:00 sys
drwxr-xr-x 7 root root 0 2021-09-27 13:09 system
drwxr-xr-x 21 root root 4096 2009-01-01 00:00 system_root
drwxrwxr-x 2 root shell 120 2021-09-27 13:07 tmp
drwxr-xr-x 5 root root 0 2021-09-10 01:55 twres
-rw-r--r-- 1 root root 0 2021-09-10 01:30 twrp_ramdisk-timestamp
-rw-r--r-- 1 root root 5900 2021-09-10 02:03 ueventd.mt6762.rc
-rw-r--r-- 1 root root 2969 2021-09-10 02:02 ueventd.rc
drwxrwxrwx 2 root root 0 2021-09-27 13:01 usbotg
drwxr-xr-x 14 root shell 4096 2009-01-01 00:00 vendor
-rw-r--r-- 1 root root 7759 2021-09-10 01:30 vendor_file_contexts
-rw-r--r-- 1 root root 218 2021-09-10 01:30 vendor_property_contexts
-rw-r--r-- 1 root root 0 2021-09-10 01:30 vendor_service_contexts

Armor_X5_Q:/ #

Edit:

drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_f
drwxrwx--- 4 system system 4096 2010-01-01 00:10 protect_s

Why dm-1, 2, 3, cant be mounted even in root.

optimumpro

Senior Member
Jan 18, 2013
8,127
15,481
OnePlus 8
[quoting Pachacouti's opening post]

So, your bootloader is unlocked and your bootimage-debug gives root to you and the entire world. In other words, here is the key to my house, and by the way, there is no lock. And by another way, there will be nothing left in the house soon. Nice.
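As an added illustration of the exposure optimumpro describes (example code, not from any post in this thread): a POSIX sh audit that reads an `adb shell getprop` dump and flags the properties behind what the opening post shows, namely ro.debuggable set by a debug ramdisk, adb key authorisation off, an unlocked bootloader, and dm-verity/AVB not enforcing. The property names are standard Android system properties; the two getprop dumps in the block are constructed, not captured from the Armor X5.

```shell
#!/bin/sh
# Added example, not from the thread: audit the boot/debug posture a device reports
# through `adb shell getprop`, so the state described in the opening post (stock user
# build booted from boot-debug.img, bootloader unlocked, verity and verification off)
# is visible at a glance. Both sample dumps below are constructed, not captured.

# Turn one getprop dump ("[key]: [value]" lines on stdin) into key=value lines.
parse_getprop() {
    sed -n 's/^\[\([^]]*\)\]: \[\(.*\)\]$/\1=\2/p'
}

# Exact-match lookup of key $2 in the key=value list $1; prints "" when absent.
prop() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

warn() { printf 'WARN %s\n' "$1"; WARNINGS=$((WARNINGS + 1)); }
ok()   { printf 'OK   %s\n' "$1"; }
info() { printf 'INFO %s\n' "$1"; }

# Assess one getprop dump passed as a string. Prints a finding per property and
# returns 0 only when nothing was flagged.
assess_props() {
    kv=$(printf '%s\n' "$1" | parse_getprop)
    WARNINGS=0
    v=$(prop "$kv" ro.build.type)
    case "$v" in
        user) ok "ro.build.type=user (production build)" ;;
        *)    warn "ro.build.type=${v:-unset}: userdebug/eng builds accept 'adb root' and ship su" ;;
    esac

    # ro.debuggable=1 is what makes adbd honour 'adb root'. A user build normally
    # has 0; a debug ramdisk such as boot-debug.img overrides it at boot.
    if [ "$(prop "$kv" ro.debuggable)" = "1" ]; then
        warn "ro.debuggable=1: 'adb root' accepted; on a user build this points to a debug ramdisk"
    else
        ok "ro.debuggable is not 1"
    fi

    if [ "$(prop "$kv" ro.adb.secure)" = "0" ]; then
        warn "ro.adb.secure=0: adb key authorisation off, any USB host gets a shell"
    else
        ok "adb key authorisation on"
    fi

    case "$(prop "$kv" ro.boot.flash.locked)" in
        1) ok "bootloader locked" ;;
        0) warn "bootloader unlocked: unsigned boot/recovery/vbmeta images can be flashed" ;;
        *) info "ro.boot.flash.locked not reported" ;;
    esac

    v=$(prop "$kv" ro.boot.verifiedbootstate)
    case "$v" in
        green) ok "verified boot state green" ;;
        "")    info "ro.boot.verifiedbootstate not reported" ;;
        *)     warn "verified boot state $v: boot chain not verified against the OEM key" ;;
    esac

    # 'adb disable-verity' and 'fastboot --disable-verity' leave dm-verity off.
    v=$(prop "$kv" ro.boot.veritymode)
    case "$v" in
        enforcing) ok "dm-verity enforcing" ;;
        "")        info "ro.boot.veritymode not reported" ;;
        *)         warn "dm-verity mode '$v': system/vendor integrity not enforced" ;;
    esac

    # AVB records the lock state the device booted under.
    v=$(prop "$kv" ro.boot.vbmeta.device_state)
    case "$v" in
        locked)   ok "vbmeta device state locked" ;;
        unlocked) warn "vbmeta device state unlocked: AVB signature checks relaxed" ;;
        *)        info "ro.boot.vbmeta.device_state not reported" ;;
    esac

    [ "$WARNINGS" -eq 0 ]
}

# Constructed sample: what a locked, stock user build reports.
STOCK_SAMPLE='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.boot.vbmeta.device_state]: [locked]'

# Constructed sample modelled on the thread: user build, boot-debug.img ramdisk,
# unlocked bootloader, verity and verification disabled.
DEBUG_SAMPLE='[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [logging]
[ro.boot.vbmeta.device_state]: [unlocked]'

# Against a real device: assess_props "$(adb shell getprop)"
if assess_props "$DEBUG_SAMPLE"; then echo "no findings"; else echo "device is exposed"; fi
```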

Pachacouti

[quoting optimumpro's reply above]
Oi... EVERY rooted fone has an unlocked bootloader, your point being?

Oh... I'm taking away profit from some... never noticed until you came along.. {Mod edit}

And you trust magisk... {Mod edit}

That would not tell you of THIS exploit:

{Mod edit: Disrespectful behaviour removed - Regards Oswald Boelcke}

Pachacouti

Edit:

(Do all this offline... )

Flash magisk'd boot, but in gui, dont update internet, in fact, dont run it.

Install busybox-1.31.1-46.apk (do all this offline) but u cant install it yet, because magisk has no internet, but busybox will give you an option to install to, or edit the install.sh to say install dir / instead of /system, it did install what it could to the required directory, and if magisk'd bootloader grants su to busybox...

(it did in mine...) Reboot back into bootloader

Then reflash boot-debug.img, flash stock recovery, and reboot again, wot no magisk?

Now see:


D:\0\AdbStation>adb root
restarting adbd as root

D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ #

D:\0\AdbStation>adb root
restarting adbd as root

D:\0\AdbStation>adb remount
/system/bin/remount exited with status 2
remount failed

D:\0\AdbStation>adb shell
Armor_X5_Q:/ # su
Armor_X5_Q:/ # ^C
130|Armor_X5_Q:/ #
130|Armor_X5_Q:/ #

Notice it said nothing of user build or production build, and oh, you need to cntrl/c to exit this... then type exit... but notice who is logged in before :/

Su working in my fone, now to try with boot.img ;)

Remember: All stock ;)
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 9
    Magisk is no more...

    I present a new fool proof method of flashing su to Android 10_Q and above!!

    I ranted and ranted about variant=user/user-debug/eng builds that I got no-where... people thinkin am dissin john wu, nah, I respect what I've learnt from his app forcing me to connect online, I want su without connecting, in order to secure my own fone.

    Introducing proof!!

    Simple. Instead of flashing boot.img

    Flash boot-debug.img from stock.

    This address's the lack of adb root.

    Logs:


    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash vbmeta vb
    lankmeta.img
    Rewriting vbmeta struct at offset: 0
    Sending 'vbmeta' (4 KB) OKAY [ 0.000s]
    Writing 'vbmeta' OKAY [ 0.000s]
    Finished. Total time: 0.016s

    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot
    -debug.img
    Sending 'boot' (32768 KB) OKAY [ 0.764s]
    Writing 'boot' OKAY [ 0.515s]
    Finished. Total time: 1.404s

    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery
    MyTwrp.img
    Sending 'recovery' (26086 KB) OKAY [ 0.718s]
    Writing 'recovery' OKAY [ 0.406s]
    Finished. Total time: 1.139s

    D:\0\AdbStation>fastboot reboot-recovery
    Rebooting into recovery OKAY [ 0.000s]
    Finished. Total time: 0.000s

    D:\0\AdbStation>adb root
    adbd is already running as root

    D:\0\AdbStation>adb root
    restarting adbd as root

    D:\0\AdbStation>adb shell
    Armor_X5_Q:/ # mount -o remount,rw /system_root
    mount: '/system_root' not in /proc/mounts
    1|Armor_X5_Q:/ # mount -o remount,rw /system
    mount: '/system' not in /proc/mounts
    1|Armor_X5_Q:/ # mount -o remount,rw /
    '/dev/block/dm-1' is read-only
    Armor_X5_Q:/ # su
    /system/bin/sh: su: inaccessible or not found
    127|Armor_X5_Q:/ # ls
    acct d init.environ.rc metadata sbin
    apex data init.rc mnt sdcard
    bin debug_ramdisk init.usb.configfs.rc odm storage
    bugreports default.prop init.usb.rc oem sys
    cache dev init.zygote32.rc proc system
    charger etc init.zygote64_32.rc product ueventd.rc
    config init lost+found product_services vendor
    Armor_X5_Q:/ # cd apex
    Armor_X5_Q:/apex # ls
    com.android.apex.cts.shim com.android.media@292000301
    com.android.apex.cts.shim@1 com.android.resolv
    com.android.conscrypt com.android.resolv@292000502
    com.android.conscrypt@291900801 com.android.runtime
    com.android.media com.android.runtime@1
    com.android.media.swcodec com.android.tzdata
    com.android.media.swcodec@292100201 com.android.tzdata@291900801
    Armor_X5_Q:/apex # exit

    D:\0\AdbStation>adb reboot bootloader

    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
    Sending 'recovery' (20646 KB) OKAY [ 0.577s]
    Writing 'recovery' OKAY [ 0.312s]
    Finished. Total time: 0.889s

    D:\0\AdbStation>fastboot reboot
    Rebooting OKAY [ 0.000s]
    Finished. Total time: 0.000s

    D:\0\AdbStation>adb root
    restarting adbd as root

    D:\0\AdbStation>adb shell
    Armor_X5_Q:/ # exit

    ------------------------

    Pay attention, the first part above, I flashed a twrp...

    Below, I flash stock images... without closing adb window.
    --------------------------------------------------------------

    D:\0\AdbStation>adb reboot bootloader

    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot-debug.img
    Sending 'boot' (32768 KB) OKAY [ 0.764s]
    Writing 'boot' OKAY [ 0.499s]
    Finished. Total time: 1.373s

    D:\0\AdbStation>fastboot --disable-verity --disable-verification flash recovery recovery.img
    Sending 'recovery' (20646 KB) OKAY [ 0.484s]
    Writing 'recovery' OKAY [ 0.328s]
    Finished. Total time: 0.811s

    D:\0\AdbStation>fastboot reboot
    Rebooting OKAY [ 0.000s]
    Finished. Total time: 0.000s

    D:\0\AdbStation>adb root
    restarting adbd as root

    D:\0\AdbStation>adb shell
    Armor_X5_Q:/ # su
    /system/bin/sh: su: inaccessible or not found
    127|Armor_X5_Q:/ # exit

    D:\0\AdbStation>adb shell
    Armor_X5_Q:/ # cd /system
    Armor_X5_Q:/system # cd bin
    Armor_X5_Q:/system/bin # ls

    Edited: not relevant... too long; the list of things we can do pissed one off...

    Armor_X5_Q:/system/bin #

    No MORE MAGISK!!!

    It's a feature of Android 10 and over lol... says so in the android docs....

    who needs su when you have root?

    SYSTEM_AS_ROOT

    Voila...

    it's in the understanding.

    YouRoot
    That's something very wrong in that phone model software, security hole. Are you getting su to work while on stock boot.img or are you getting it to work only while having boot debug img installed? Where have you put the su binary? You do not have a bootloop while keeping su installed (to the system?) after relocking the bootloader?
    It's a joke. A good sign of a hoaxer is when he immediately jumps to effing everybody who questions his nonsense. That's a red flag that is all over this thread. {Mod edit}

    Apart from that, {Mod edit}, there is no difference between ADB root and root. In reality, debug_boot.img does not provide full root access, it only provides root access for adb commands, and even that requires system_debug image, which you will never get on stock: to have a stock system_debug, one must recompile from sources with that flag. Show me an OEM who provides sources for anything other than kernel.

    His other claim about passing Safetynet on stock with bootimage-debug is abracadabra. No phone with unlocked bootloader will pass Safetynet without modifications in framework and kernel: the frameworks usually contain the names of services and applications and kernel has the 'fooling' flags. Yeah, he can modify kernel, if he has sources, but would never be able to modify frameworks.

    {Mod edit - Regards Oswald Boelcke}
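The post above draws the line between `adb root` on a debuggable image and a real root install. A quick way to see which side of that line a device is on is to read its build properties: adbd only honours `adb root` when `ro.debuggable` is 1, which release (`user`) builds set to 0. The script below is an added example, not code from the thread or from any project named in it; it parses `getprop`-style output and reports whether the device is running a debuggable build. On a real device you would pipe `adb shell getprop` into it; the two property sets here are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an Android device's build
# properties to tell a debuggable (userdebug/eng) boot image, where `adb root`
# succeeds, from a release (user) build, where adbd refuses it. Feed a real
# device with `adb shell getprop | classify_build`; the samples at the bottom
# are constructed.

# Print the value of one property from `getprop`-style lines "[key]: [value]".
#   $1 = property name, stdin = getprop output
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Exit 0 when the properties describe a debuggable build.
# adbd only restarts as root on `adb root` when ro.debuggable is 1;
# the build type is checked as well in case a vendor image sets it differently.
#   stdin = getprop output
is_debuggable() {
    _props=$(cat)
    _type=$(printf '%s\n' "$_props" | prop_value ro.build.type)
    _dbg=$(printf '%s\n' "$_props" | prop_value ro.debuggable)
    [ "$_dbg" = "1" ] || [ "$_type" = "userdebug" ] || [ "$_type" = "eng" ]
}

# One-line verdict for a device inventory; always exits 0 so it composes
# under `set -e`. ro.secure is reported too: on a userdebug image it stays 1,
# so adbd starts as shell and only escalates on request.
#   stdin = getprop output
classify_build() {
    _props=$(cat)
    _type=$(printf '%s\n' "$_props" | prop_value ro.build.type)
    _dbg=$(printf '%s\n' "$_props" | prop_value ro.debuggable)
    _sec=$(printf '%s\n' "$_props" | prop_value ro.secure)
    if printf '%s\n' "$_props" | is_debuggable; then
        _verdict=DEBUGGABLE
    else
        _verdict=RELEASE
    fi
    echo "$_verdict build_type=$_type ro.debuggable=$_dbg ro.secure=$_sec"
}

# Constructed sample: what a device booted from a userdebug boot image reports.
SAMPLE_USERDEBUG='[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [1]'

# Constructed sample: a stock release build.
SAMPLE_USER='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]'

printf '%s\n' "$SAMPLE_USERDEBUG" | classify_build
printf '%s\n' "$SAMPLE_USER" | classify_build
```

A device that reports DEBUGGABLE here will accept `adb root`, which is exactly the shell shown in the logs above; it says nothing about whether a `su` binary exists for apps to use, which is why `su` still fails in that same shell.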
    Pachacouti, your boot-debug.img does not work for Xiaomi devices. How to make it work on other devices? Please provide a universal solution so that everybody can enjoy your new discovery. Not everyone has a Ulefone...
    Thanks!
    Just build a boot image for your device with the userdebug buildtype set. Plenty of info on how to do that all over the interweb...

    Many custom ROMs come with it by default even.
    Moderator Announcement: Thread provisionally closed!
    I don't use pastebin. I wanted to post my proof here. My call. Thanks for the suggestion though, I mean, why send a good hack to another site when I would not have found it if it were not for comin here?

    Surely xda deserve some credit, which I give by posting my flashing log here...

    I know all will find what I posted will work to write a ro system.

    Su and Magisk ARE dead, john wu says so...

    I say this is why.

    Flash boot-debug.img instead of boot.img gives

    adb root

    adb shell

    # <- the point of root!!!

    Ps, I may be a bro to my 3 sisters, but I ain't no bro... :O

    I find what they can't see, because they gave away the sight to see; what I see, they no longer can ;)

    Until I light the way....